Steve Riley on Security

Formerly of Microsoft's Trustworthy Computing Group.

Poll: do you use scheduled scans for malware?


An interesting comment recently appeared on my older post about whether or not to use antimalware software. Peter van Dam wondered whether scheduled scans are really necessary, given that anti-malware products already scan files as they enter (and sometimes as they exit) a computer.

He raises a good point, and I'm curious what all of you think. Do you use scheduled scans? If so, why? If not, is it because you've reached the same conclusion as Peter?

Comments
  • I use scheduled scans as my last line of defense against malware.  I scan the data in real time as it traverses every sort of medium that I can imagine, but I use the scheduled scans in an attempt to cover methods of infection that I haven't thought of.  I also use the scheduled scans to rescan my data with the latest virus defs.  I may have scanned the file when it was first written, but perhaps I didn't have a definition for that malware type at that time.

    My scheduled scans rarely find anything, but there have been enough finds over the past few years to prove to me that they are worth it.

  • I agree, security is all about layers; there is no harm in multiple scans of a file if it's spare CPU. Scan at the border with AV vendor A, scan on the mail server with vendor B, active scan on the client with vendor C :)

    Then a scheduled scan with vendor C and/or D on the client just to be sure.

  • On my own machines I don't do either, but I have in the past used Trend Micro's HouseCall to do a one-off scan if I suspect something is odd. I haven't picked up anything yet.

  • I run scheduled scans simply to pick up things that may be caught with newer definition files (so, documents at rest may get scanned again with newer definition files).

    Although you could argue that if it's there and has been used and you didn't pick it up the first time, you may have already been owned :)  I think it provides some small extra protection in some instances of platform-specific attack (specifically, where the document server and client are running different operating system and/or application software versions).

  • If I bother to do AV, then yep, I schedule.

    AV uses a limited range of APIs; if you can slip the data through an unmonitored one, it's on the system. Now hopefully the next API used to open the data will catch it, but if you acknowledge the "limited API scope", then scheduled scans are the best defence.

    e.g. I know this used to be the case:

    A file saved to a file server running Symantec AV would not be scanned. Trend would scan it. That API was not part of the system, as the server was not technically "infected", just storing it, and when the file was opened on the server (if ever) or on the client, the principle was that it would be picked up then.

    Not sure of current versions.

  • I do use scheduled scans.

    Whilst anti-malware products do scan stuff as it comes in, and sometimes out, the one I'm using does generate false positives on a couple of websites I use. So much so that I will disable it while I use them.

    Bad, and I should know better, but I'm comfortable enough behind my other IDS/proxy and firewall, and that I don't use any other programs or web sites while I'm doing so, that I can be reasonably confident that I'm malware free.

    But, my point is that there are times when the automatic scans might not function. Doing a scheduled scan (and yielding a report) gives you an assurance that it is doing something.

    Of course, logically, if a rootkit bypassed the incoming scan somehow, then a scheduled scan won't pick it up because at that point it's installed and the scanner won't detect it. But, can you really ever have 100% assurance?

  • Twice a week during the night, mainly because I could have downloaded an infected file containing a virus/malware which was not contained in the definitions when the infection occurred.

  • Interesting point. If you download an infected file and run it, you're owned. Running a scheduled scan afterwards, even if the AV recognizes the infection, will not get your computer cleaned, considering how AVs are notoriously bad at removing active infections (or maybe it doesn't detect it at all if the infection is bundled with a rootkit).

    Current anti-virus technology for workstations is only preventive. If it can detect a threat before you run it on your system, you're lucky. If it didn't detect it and you run it, then the system is compromised and you cannot trust a process running on a compromised machine (the AV engine) to disinfect the machine.

    I see the benefit of scheduled scans on SharePoint servers and file servers, where data is going in and out all the time: if you upload an infected file to a share and the automatic scanner doesn't catch it, then after the definitions update the scheduled scanner catches the infection, thus limiting the number of clients that download the infected file.

  • I schedule daily scans for all desktops and servers I manage. As others have said, AV software can pick up stuff with newer definitions that it missed at the time of "entrance" to the computing environment. It's not always 100% successful, because if malware gets into the machine its first order of business is to cripple the AV software (if the user is an admin of the machine), but at that point I know something is wrong when the machine 'forgets' to run those daily scans.

    If something is found, it may not be cleaned but at least I will know that something is there and take appropriate measures (do forensics to find out how it got on the machine, reload the computer, educate the user with a stun gun ;) )

  • Using scheduled scans depends on the size of the company. Some security experts recommend that general users scan every month and some recommend every week. Doing scheduled scans is necessary because:

    1. You may disable the anti-malware for a while and your system gets infected in that time.
    2. A new malware (especially a rootkit or trojan) is discovered and the malware manufacturer releases a new update for it, but as long as it is a trojan it will not do anything unless you activate it.

    In a large enterprise company daily scanning is necessary because there are people who try to damage you. My recommendation is to do a quick scan every day; it scans sensitive areas only and takes a few minutes, not long hours. And a full scan every month, just in case. There is the case where you travel and do not update your PC for a month, and during that time malware comes to your PC; if you do a full scan it will detect it. Note that scheduled scans protect your PC against trojans and rootkits and most spyware. Worms and viruses do active damage and do not hide like trojans, and they are detected by real-time protection most of the time, but trojans and rootkits hide behind the system; a new update will protect you, and to use those updates you should do a scan. Steve, about your note about using or not using anti-malware: your company is fully protected with 10 anti-malware engines in Forefront, so how could someone send you an email with malware when it is scanned with 10 engines before reaching you? Just joking :-)

  • I just install an antivirus/anti-malware application and do a full scan. Then I scan everything on entry into the computer. To be a good netizen I should really scan things as they leave my computer as well.

    I used an antivirus application a while back that allowed me to scan a random number of files per day. So everyday 50 random files would be scanned, and if any of those had a virus, I would then scan the whole computer. Unfortunately I have forgotten the name of that application. Maybe it's a common feature just that I haven't looked for it lately?

  • Always use a scheduled scan. Although it's never found anything as yet there is a small chance of something nasty getting through which is not on the current definition list. Also great care with what to do with it - as a developer I think that you're more likely to get a false negative and I don't want to find loads of work removed!

  • I never use 'scheduled' scans for any of the anti-malware products that I use. One main reason is that I like to do everything manually. Every time I download a file, I manually scan it. It's not that hard to do and it's just a matter of making it a habit. Also, as Peter pointed out, good anti-malware products scan everything in real time anyway, so I agree with his point about not needing scheduled scans.

    Unless somehow the 'scheduled scan' was more thorough in its scanning mechanism than a manual scan; then yes, I would consider it.

  • Nope. If my protection didn't find it on the way in, then the only other options are 1) scheduled, which doesn't actually prevent anything (after all, there was nothing happening with the file at the time), or 2) on subsequent access.

    The argument that a scheduled scan will pick it up due to newer defs etc. is exactly as true of the on-access scan, so to me all you're doing with a scheduled scan is driving up machine and HDD utilisation and generating unneeded greenhouse gases. If your HDD must do something after hours then get it to run defrag or build search indexes, something that will have a positive return on the energy invested...

  • I'm currently scanning all clients once a week, and it's too often. I'd like to stop scheduled scans entirely, because the AV program we have to use has such an impact on user performance when the scans run, despite our and the vendor's best efforts.

    We get very little value from the very small number of viruses detected in these scans compared to that high cost.

    Of course, when we do have active virus outbreaks detected, even at very low thresholds, we can quickly react and stop anything that is *active* on our network. If that and similar capabilities weren't there we'd have a different stance.
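Several commenters above make the same two points from opposite sides: a file that was clean under yesterday's definitions may be detected under today's (so data at rest is worth re-scanning), while rescanning every file on every schedule burns CPU and disk for very few finds. The Python model below is an added example written for this edit, not code from the post or from any antivirus product. It assumes a constructed, toy definition database (version number -> byte patterns) and constructed file contents; the point it demonstrates is an index that records which definitions version last judged each file, so that a scheduled job rescans only files that changed or were last scanned under older definitions, and skips the rest.

```python
"""Toy model of on-access scanning versus a scheduled rescan of data at rest.

Constructed example for illustration: the signature database, the file
contents and the version numbers are all made up. A real engine does far
more than substring matching; the only property modelled here is that
newer definitions recognise more than older ones.
"""
import hashlib
from dataclasses import dataclass

# Constructed definition sets: version -> {signature name: byte pattern}.
DEFINITIONS = {
    1: {"Test.Sample.A": b"SAMPLE-PATTERN-A"},
    2: {"Test.Sample.A": b"SAMPLE-PATTERN-A",
        "Test.Dropper.B": b"DROPPER-PATTERN-B"},
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_bytes(data: bytes, defs_version: int) -> str:
    """Return the name of the first matching signature, or 'clean'."""
    for name, pattern in DEFINITIONS[defs_version].items():
        if pattern in data:
            return name
    return "clean"


@dataclass
class ScanRecord:
    sha256: str        # content hash at the time of the last scan
    defs_version: int  # definitions used for that scan
    verdict: str


class ScanIndex:
    """Per path: which content was last judged, with which definitions."""

    def __init__(self) -> None:
        self.records: dict[str, ScanRecord] = {}

    def on_access_scan(self, path: str, data: bytes, defs_version: int) -> str:
        """Scan a file as it is written and record the verdict and defs used."""
        verdict = scan_bytes(data, defs_version)
        self.records[path] = ScanRecord(sha256_hex(data), defs_version, verdict)
        return verdict

    def scheduled_rescan(self, files: dict[str, bytes], defs_version: int):
        """Rescan files at rest, but only those whose last scan used older
        definitions or whose content changed since. Returns (findings, count)."""
        findings: dict[str, str] = {}
        rescanned = 0
        for path, data in files.items():
            rec = self.records.get(path)
            if (rec is not None
                    and rec.defs_version >= defs_version
                    and rec.sha256 == sha256_hex(data)):
                continue  # already judged under current defs; skip the I/O
            rescanned += 1
            verdict = scan_bytes(data, defs_version)
            self.records[path] = ScanRecord(sha256_hex(data), defs_version, verdict)
            if verdict != "clean":
                findings[path] = verdict
        return findings, rescanned


def demo():
    """Files land on a share while defs v1 are current; v2 adds the dropper."""
    index = ScanIndex()
    files = {  # constructed contents
        "share/report.docx": b"quarterly numbers",
        "share/invoice.pdf": b"... DROPPER-PATTERN-B ...",  # unknown to v1
    }
    on_access = {p: index.on_access_scan(p, d, defs_version=1)
                 for p, d in files.items()}
    # Definitions update to v2, then the nightly job runs.
    findings, rescanned = index.scheduled_rescan(files, defs_version=2)
    # A second run under the same defs with unchanged files rescans nothing.
    _, rescanned_again = index.scheduled_rescan(files, defs_version=2)
    return on_access, findings, rescanned, rescanned_again


if __name__ == "__main__":
    print(demo())
```

In the demo both files pass the on-access scan under version 1; after the update to version 2 the scheduled job rescans both (their records are stale), flags the invoice, and a repeat run touches nothing. The same bookkeeping is what lets a scheduled job skip the bulk of a file server after a small definitions update, which is the cost the last two commenters object to.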
